A look at how AI and blockchain could solve data management and integrity issues in a life sciences environment and the challenges posed by GDPR compliance

Blockchain and artificial intelligence (AI) are opening new doors towards improving data efficiency in the life sciences industry. But these technologies may also impose unique limitations and curtail the traditional role of data controllers. For example, system data is the legal responsibility of the data controller, who must also comply with data protection regulations. But a blockchain is controlled not by a single administrator, but by numerous blockchain users. So how are data regulations such as the General Data Protection Regulation (GDPR) enforced on a blockchain?

This is one of the topics that Patrice Navarro, a Hogan Lovells counsel in Paris, addressed as a speaker at the 2018 Paris Life Sciences Seminar on AI and Blockchain. In this hoganlovells.com interview, Patrice discusses potential blockchain applications, benefits, and concerns in the life sciences field, including one that is beginning to draw more attention: because blockchain transactions will always remain in the chain and cannot be deleted, how do we reconcile the rights of individuals under the GDPR to request that their health care data be removed?

You’ve said that blockchain could be a tool to make AI more efficient. Would you expand on that, and also on data protection as it relates to AI?

Patrice Navarro: Yes. The reason is that Al will be a way to collect and keep data on which the algorithm will make its calculations, based on a full blur of information that could be enriched from everywhere without having one single registry. So that would be much easier to have information from everywhere accessible to the AI.

That’s why blockchain is particularly interesting in health care, because by nature, the health sector has a multiplicity of actors and stakeholders. One of the key points of the health sector is that you have the patients, you have the health care organizations and professionals, you have the reimbursing bodies and authorities, you have drug manufacturers and device manufacturers, and everyone has to work together as a group to improve the patient’s health.

So blockchain particularly adapts to that, because with blockchain, you can import that information from everywhere and we will be able to access that information and be sure we have the latest data. We don’t have to rely on one single registry somewhere, or one data server, or one authority holding everything — and that might not contain the most up-to-date data.

It’s very practical in this sector in particular to manage, for example, your own medical file. One of the speakers at the seminar earlier this year presented a solution where you have a card in your wallet and with this card, each time you meet your physician or any health care professional, he or she could have access to your file with all of your health care data. Of course, you would have to provide a password to allow the medical professional access. But that way everything can be collected easily, and you as a patient just have to carry your card and that’s all. It’s a plastic card, very simple, easy to put it into a computer or access to a Web interface to have all the data.

In this future state, is all the data on the card, and will that data be managed by the blockchain?

Navarro: There’s nothing on the card — it’s just a plastic card with a QR code on it. You have the password or you can unlock it with your fingerprint, and then you can access the data from the blockchain, and behind it all the security is there on the private blockchain.

That’s one of the many examples or use cases we see where you make use of the simplicity to access always updated data on the blockchain. Another speaker on this subject was a consultant specializing in advising life sciences companies on blockchain who shared many use case examples. For instance, the pharmaceutical industry has a particularly complex supply chain, with many varied stakeholders involved in the manufacture and distribution of a single drug. Through a blockchain, you are able to have the proof that all the elements are there, you know where they’ve come from, you know when they’ve been manufactured, and everything can be accessible and easily available that way.

You can also use blockchain for clinical trials. There’d no longer be a reason to have a paper registry with all the information that you have to share amongst the investigators, the pharma company, and the authorities. Here, everything related to the clinical trial would be accessible from various points on the blockchain. You can enrich the clinical trial file with data coming from everywhere. And one of the key points of the blockchain is that you can prove that it is the most current, true data and no one was able to make changes, because there’s traceability of every change made. So you are able to use it as a proof of what you’re seeing: this is the time, the date — everything is perfectly clear. There’s no way someone could alter it.

But — there is always a “but.” When you mix blockchain with data protection regulation, and specifically the GDPR, you have a conflicting principle.

What conflict does blockchain have with the GDPR?

Navarro: The principle of the GDPR is not really mixing well with the technical principle of the blockchain. One of the key points in that application is to identify who is the data controller and the data processor. You almost always start with that.

In blockchain, it’s pretty hard to identify who is the data controller — who is liable for the data processing operation — because it works in nodes. You have nodes everywhere. You don’t really know where the nodes are. And if you take the GDPR definition, you could say that each node is a data controller, but it doesn’t work really that way, so a technical approach is not the best way to see it.

For each blockchain and use case, we have to think in terms of the data controller. It’s a complex exercise to determine who the data controller and the data processor is. If we go back to the example of the health care card, you have the provider of the tools; maybe the service provider could be seen as the data controller. But in fact, he or she has no control over the data. None. It’s just an empty shell. And all the doctors, stakeholders, and patients are putting data in and all are managing some data processing operation, but the service provider has no control over it. So each time, each use case we will have to think about who can be the data controller in this particular use case.

The other thing that we have with that application principle is giving rights to individuals. You have to apply for permission to access that subject, you have to provide the right of access, you have to provide the right to object and delete your data under the GDPR. And that’s where we encounter a major difficulty with the blockchain, you cannot delete. That means the right to object, the right of erasure of your personal data, cannot be implemented like in a traditional centralized database. There’s no way around it. You cannot have blockchain and the full-fledged right of erasure. So we will have to find ways to make that work.

And the conclusion, of course, might change when we are looking at something that is technically new. At the beginning of the Internet, there were a lot of questions about how to apply existing regulations to what was represented as a cloud. When we were talking about the highways of information, everything was kind of blurry, saying that the legal rules will not apply to the Internet, and we ended up seeing that legal rules apply to the Internet. In the end, I think it will be the same with the blockchain. It’s simply that case law will help us adapt to the blockchain.

About Patrice Navarro

As counsel in our Commercial and Privacy Group, Patrice Navarro focuses his practice on data privacy, health data and connected medical devices, contracts and life sciences. He brings his extensive experience and enthusiasm for technology-related matters in contract drafting and in solving privacy issues. He has 14 years of experience dealing with a variety of complex and strategic agreements, including two years of experience with a preeminent judicial leader at the Court of Appeal of Paris, specializing in IT contracts.